Old 9th July 2009
birdmansdomain
Port Guard
 
Join Date: Jun 2009
Posts: 13

Quote:
Testing from the internal LAN

As explained in http://www.openbsd.dk/faq/pf/rdr.html#reflect accessing the external IP from the internal LAN does not cause redirection to work.
You, or a friend, really needs to test from the Internet side.
I have been testing externally the whole time.

Quote:
Routing

The default gateway of the box receiving the redirected traffic should be correct.

If you redirect traffic to the internal LAN, the internal NIC of the firewall should be set as the default gateway.
In case you use a DMZ the DMZ NIC of the firewall is the default gateway.

If you forget this, like I did a couple of times, tcpdump will not show any blocked packets. Running tcpdump on the server NIC will even show the packets coming in. The server just doesn't know how to route its answer packets.
I have 2 internal NICs, 1 wireless, the other wired. On initial setup, if my gateway was set up for the wired NIC's IP, the wireless would not access the internet but wired would. I changed the gateway to the other NIC's IP and both were able to access the internet. That problem was solved. Should I set my gateway to the IP of the external NIC???? Not sure of the implications of doing so, so I haven't.


Quote:
I don't understand why so many people who are new to OpenBSD/pf create(..copy&paste) unimaginably complex rulesets without first confirming they work in their specific setup.

You should always start simple, which will be beneficial.. especially if you're just learning.
I didn't think this was that complex considering the scope of PF's abilities. BTW I didn't copy and paste either, so thank you for the assumption. This pf.conf has been working for me for quite a while and the only thing that was added was the
rdr pass on $ext_if proto { tcp udp } from any to any port 80 -> $server port 80
pass in log quick on $ext_if proto { tcp udp } from any to $server port 80 flags S/SA

The original pf.conf I created was from reading the pf man pages.

Isn't "pass in log quick on $ext_if proto { tcp udp } from any to $server port 80 flags S/SA" a dedicated pass rule????

Also I apologise for my attitude; this has made me really pissy the past day. Anyway, here's my pf.conf WITH log put in there for some of you.

Quote:
ext_if="em0"
int_if="re0"
wifi_if="ral0"
server="{ 192.168.0.10 }"
icmp_types="echoreq"
tcp_flags="flags S/SA keep state"
table <abusers> persist file "/etc/ssh-violate"

set require-order no
set skip on lo
scrub in all

nat on $ext_if from !($ext_if) -> ($ext_if:0)
rdr pass on $ext_if proto { tcp udp } from any to any port 80 -> $server port 80

block drop log all
block in log quick from <abusers>

pass out log on $ext_if proto tcp from any to any flags S/SA
pass out log on $ext_if proto { udp,icmp } from any to any

pass in log quick inet proto icmp all icmp-type $icmp_types
pass in log quick on $ext_if proto { tcp udp } from any to $server port 80 flags S/SA
pass in log quick on $wifi_if proto tcp to ($wifi_if) port ssh $tcp_flags (max-src-conn 8, max-src-conn-rate 15/5, overload <abusers> flush global)

pass quick on { lo, $int_if, $wifi_if }

antispoof quick for { lo, $int_if, $ext_if, $wifi_if }
Quote:
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 33204
priority: 0
groups: lo
inet 127.0.0.1 netmask 0xff000000
inet6 ::1 prefixlen 128
inet6 fe80::1%lo0 prefixlen 64 scopeid 0x5


re0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
lladdr 00:18:e7:18:3d:34
priority: 0
media: Ethernet autoselect (100baseTX full-duplex,rxpause,txpause)
status: active
inet 192.168.0.1 netmask 0xffffff00 broadcast 192.168.0.255
inet6 fe80::218:e7ff:fe18:3d34%re0 prefixlen 64 scopeid 0x1


em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
lladdr 00:0d:60:47:d3:9c
priority: 0
groups: egress
media: Ethernet autoselect (100baseTX full-duplex,rxpause,txpause)
status: active
inet6 fe80::20d:60ff:fe47:d39c%em0 prefixlen 64 scopeid 0x2
inet *.*.*.* netmask 0xfffffc00 broadcast 255.255.255.255


ral0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
lladdr 00:1d:6a:3a:48:66
priority: 0
groups: wlan
media: IEEE802.11 autoselect hostap
status: active
ieee80211: nwid Phreaks chan 2 bssid 00:1d:6a:3a:48:66
inet 192.168.1.1 netmask 0xffffff00 broadcast 192.168.1.255
inet6 fe80::21d:6aff:fe3a:4866%ral0 prefixlen 64 scopeid 0x3


pflog0: flags=141<UP,RUNNING,PROMISC> mtu 33204
priority: 0
groups: pflog